I am currently trying to set up the winsync agreement between my AD and
my FreeIPA servers. The network topology only allows me to connect the
FreeIPA server to port 636 of AD, using TLS.
It seems that FreeIPA wants to connect to port 389 using StartTLS
when I run the ipa-replica-manage command to create the winsync agreement.
I know that I can modify the parameters of the winsync agreement once it
is established, by modifying the cn=replica,cn=XXXXcom,cn=mapping
tree,cn=config elements.
But is there a way to specify the port as well as the protocol to use on
the first configuration of the winsync agreement?
Thank you for your help,
Best regards,
Nathan M.

I am afraid that this is hardcoded in ipa-replica-manage and there is no
way to force the command to use an LDAPS connection.

Is there any particular reason why incoming connections on AD DC's port
389 are blocked in your network?
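The question above mentions changing the agreement afterwards under cn=mapping tree,cn=config. The script below is an added example (not from the thread, FreeIPA or 389-ds) that emits the LDIF for exactly that change: it switches an already-created winsync agreement from LDAP/StartTLS on 389 to LDAPS on 636 by replacing the 389-ds attributes nsDS5ReplicaPort and nsDS5ReplicaTransportInfo (SSL means LDAPS, TLS means StartTLS). The agreement DN, the ldapi socket path and the hostnames are placeholders; look up the real DN with the ldapsearch shown in the comments.

```shell
#!/bin/sh
# Added example: build the LDIF that moves an existing winsync agreement
# to LDAPS on port 636. Nothing here talks to a server; pipe the output
# into ldapmodify yourself once you have checked it.
#
# Assumed placeholders (replace with your own values):
#   - the agreement DN passed as $1; find it with
#       ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket \
#         -b 'cn=mapping tree,cn=config' \
#         '(objectClass=nsDSWindowsReplicationAgreement)' dn
#   - the AD DC is reachable on 636 and its issuing CA is trusted by the
#     IPA directory server's certificate store (ipa-replica-manage connect
#     --cacert does this import at creation time; if the agreement was
#     created against 389 the CA may still need to be added).

winsync_ldaps_ldif() {
  agreement_dn=$1
  port=${2:-636}   # LDAPS default; the only port open in the thread's topology
  cat <<EOF
dn: $agreement_dn
changetype: modify
replace: nsDS5ReplicaPort
nsDS5ReplicaPort: $port
-
replace: nsDS5ReplicaTransportInfo
nsDS5ReplicaTransportInfo: SSL
EOF
}

# Usage (placeholder DN; run as root on the IPA master):
#   winsync_ldaps_ldif \
#     'cn=meToad01.ad.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config' \
#     | ldapmodify -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket
#
# Afterwards, confirm the agreement actually synchronises over the new port:
#   ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket \
#     -b '<agreement dn>' -s base nsds5replicaLastUpdateStatus
# and, independently of 389-ds, that the DC presents a certificate on 636:
#   openssl s_client -connect ad01.ad.example.com:636 -servername ad01.ad.example.com </dev/null
```

Port and transport are changed in one modify operation so the agreement never sits in the inconsistent state of SSL-on-389 or plaintext-on-636. The verification step matters: a wrong or untrusted CA shows up only in nsds5replicaLastUpdateStatus, not in the result of the ldapmodify itself.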